Electronic Presentations in Microsoft® PowerPoint® Prepared by Brad MacDonald SIAST © 2003 McGraw-Hill Ryerson Limited Page references in these notes are taken from the second draft of the text revision

Auditing in a Computer Environment Computers are used by almost all audit clients. Thus, computer auditing is practicsd, to a greater or lesser extent, in almost all audits. Computers introduce electronic technology in four phases of the audit process: (1) planning the audit, (2) obtaining an understanding of the control structure and control risk, (3) testing controls, and (4) using the computer to obtain substantive evidence about account balances. Chapter 8 covers the basic concepts in all four phases with focus on simple systems.

Learning Objective 1 Explain how a computer accounting system differs from a manual accounting system.

Computer Environment The CICA Handbook prefers the use of EDP or Electronic Data Processing. There is no fundamental difference between computer auditing and auditing. Certain areas are not changed: the definition of auditing the purposes of auditing the generally accepted auditing standards the control objectives the requirement to gather sufficient and appropriate evidence the audit report Page 253

Elements of a Computer-Based System Hardware: The physical equipment. Software: System programs: Perform generalized functions for more than one program. Application programs: Sets of computer instructions that perform data processing tasks. Page 254

Elements of a Computer-Based System Documentation: A description of the system and control structures. Personnel: Persons who manage, design, program, operate,or control the system. Page 254

Elements of a Computer-Based System Data: Transactions and related information entered, stored, and processed by the system. Control procedures: Activities designed to ensure proper recording of transactions and to prevent or detect errors or irregularities. Page 254

Elements of a Computer-Based System Management is responsible for internal controls; the auditor is responsible to understand controls and assess control risk. Management can meet responsibilities and assist the auditor by ensuring documentation is current ensuring that systems produce an audit trail making computer resources and personnel available to the auditor as required Page 254

Effect of Computer Processing Characteristics that distinguish computer processing from manual processing: Transaction trails may not exist, or may exist only in machine readable formats. Uniform processing of transactions eliminates random errors, but may cause systematic errors. Many internal controls may be concentrated in the computer systems; persons who have access to the computer may be in a position to perform incompatible functions. Page 255

Computer Processing Characteristics that distinguish computer processing from manual processing: The potential for errors and irregularities through inappropriate access to computer data or systems may be greater. A potential for increased management supervision with a wide variety of analytical tools is created in computerized processing. Initiation or subsequent execution of transactions by computer may not generate evidence of authorization. Page 255

Learning Objective 2 List and discuss additional matters of planning auditors should consider for clients who use computers.

Planning The extent and complexity of computer processing may affect the nature, extent, and timing of procedures. The auditor should consider: the extent to which computers are used in accounting applications Auditors will need computer-related skills to understand the flow of transactions processed by computers. Page 256

Planning The auditor should consider: the complexity of computer operations: Auditors will need to assess training and experience relative to the methods of computer processing. the organizational structure of computer processing activities: Auditors must consider the degree of centralization and standardization in computer-related operations. Page 256 - 257

Planning The auditor should consider: the availability of data from the computer system Auditors must consider when information may no longer be available for review. the use of computer-assisted audit techniques (CAATs) to increase the efficiency of audit procedures the need for audit personnel with specialized skills Page 257 - 258

Learning Objective 3 Describe how the phases of control risk assessment are affected by computer processing.

Phase 1 - Understanding The purpose of Phase 1 is to obtain sufficient knowledge of controls for planning the audit. This will include a general knowledge of the organizational structure methods used to communicate responsibility and authority methods used to supervise the system Computer processing may affect each of these elements. Page 258 - 259

Organizational Structure Understanding of the organization of the client computer functions is required for assessment of risk. The auditor should obtain and evaluate a description of computer resources and computer operating activities a description of the organizational structure of computer operations and related policies This understanding helps the auditor decide on the amount of reliance to place on system controls. Page 258

Methods Used to Communicate Responsibility and Authority Auditors should understand how the computer resources are managed and how priorities for use are determined. Auditors should obtain evidence and evaluate information about the existence of accounting and other policy manuals formal job descriptions for computer department personnel Page 259

Methods Used by Management to Supervise the System Auditors should learn the procedures management uses to monitor the computer operations. Auditors should evaluate: a) systems design and documentation b) procedures for modification c) procedures limiting access d) financial and other reports e) internal audit function Page 259

Understanding the Accounting System Auditors should gain an understanding of the flow of transactions through the accounting system for each significant accounting application. Page 259

Phase 2: Assessing Control Risk To assess the control risk when a computer is used, auditors must do the following: Identify specific control objectives based on the types of misstatements that may be present. Identify the points in the flow of transactions where specific types of misstatement could occur. Identify specific control activities designed to prevent or detect misstatements. Page 260 See exhibit 8-1 for an illustration of points 1 and 2

Phase 2: Assessing Control Risk To assess the control risk when a computer is used, auditors must do the following: Identify the control activities that must function to prevent or detect misstatements. Evaluate the control activities to determine whether they suggest a low control risk and whether tests of controls might be cost effective. Page 260 See exhibit 8-1 for an illustration of points 1 and 2

Assessing Control Risk The information gathered should allow the auditor to decide the following: That: Control risk is assessed low, and it is cost effective to perform test of controls. Continue with testing of control. Control risk is assessed low, but it is not cost effective to perform tests of controls. Concentrate on substantive procedures. Control risk is assessed high. Page 261 - 262

Learning Objective 4 Describe and explain general control procedures and place the application control procedures covered in Chapter 6 in the context of computerized “error checking routines.”

Simple Computer Systems Characteristics of a simple computer system: All processing occurs at a central processing facility. Three or four people are involved in operations of a simple system. System may use batch processing or online processing. Page 262

Simple Computer Systems General control procedures: Those controls that relate to all or many computerized accounting functions. Organization and physical access Weakness or absence of access controls decreases the overall integrity of the computer system. Documentation and systems development Weakness or absence of documentation and development standards also decrease the integrity of the system. Page 263 - 266

Simple Computer Systems General control procedures: Hardware Auditor should be familiar with hardware controls. Data file and program control and security Controls are necessary to determine that the proper files and programs are being used, and that files are appropriately backed up. Page 266 - 267

Application Control Procedures Application controls are those used in each “application.” Application controls are grouped under three categories: input controls processing controls output controls Page 267 - 269

Application Control Procedures Input controls: Controls at input are primarily preventative. It is generally more cost effective to prevent errors than it is to detect and correct them. Processing controls: Primarily oriented at detecting misstatements. Output controls: Primarily oriented at correcting misstatements. Page 267 - 269

Control Risk in Simple Systems The purpose of review of controls is to understand the strengths and weakness of control systems. The general controls must be good in order for any application controls to be considered in planning the substantive procedures. The usual approach is to evaluate general controls first, then application controls. Pages 269 - 270

Learning Objective 5 Describe the characteristics and control problems of personal computer installations.

Personal Computer Environment Computer activity involving PCs should be included in determination of risk. PCs may be standalone systems or part of a distributed system. The control environment, not the technology, is the important consideration for the auditor In a PC environment, lack of segregation of duties may be a significant risk. Page 271

Personal Computer Environment PC Control Considerations: Most control problems can be traced to lack of segregation of duties and lack of computerized control procedures. Auditors should consider the entire control structure and look for compensating control strengths. Page 272

Personal Computer Environment Organizational control procedures: Limit concentration of functions as much as possible. Establish proper supervision. Operation control procedures: Controls over online entry are important. Restrict access to input devices. Use standard screens, computer prompting, and online editing procedures. Page 272 - 274

Personal Computer Environment Processing control procedures: Ensure processing is correct and complete. Capture entries in transaction logs. Make use of control totals. Perform periodic reconciliation of input to output. Systems development and modification: Purchased applications should be reviewed carefully. Page 272 - 274

Learning Objective 6 Explain the differences among auditing around the computer, auditing through the computer, and auditing with the computer.

Evaluation Approaches Auditing around the computer: Treat the computer as a “black box” and vouch and trace source documents and output. Adequate procedure where the computer is simply used as a calculator and printer. Auditing through the computer: Evaluate hardware, software, and controls. Uses computerized controls. Page 274 - 275

Learning Objective 7 Explain how the auditor can perform the test of controls audit of computerized controls in a simple computer system.

Tests of Computer Controls There are two approaches to using the computer in test of controls procedures: Test data: Test the programmed controls using simulated data. Parallel simulation: Audit the programmed controls with live data reprocessed with an independent audit program. Pages 275 - 279

Test Data A computer will process every transaction in a certain logical way exactly the same every time. Create hypothetical transactions to determine how the computer will handle errors. Test data is a sample of combinations of input data that may be processed through a system. Test data will contain planted errors in addition to good transactions. Pages 276 - 278

Parallel Simulation Auditors prepare a program to process data correctly and compare results to results of actual client processing. Generalized audit software makes the process more attractive. First audit using a parallel simulation is time consuming and expensive. Economies are realized in subsequent audits of the same client. Pages 278 - 279

Learning Objective 8 Describe the use of generalized audit software.

Generalized Audit Software Generalized audit software (GAS) programs are a set of functions that may be utilized to read, compute, and operate on machine-readable records. Used on audits where records are stored in computer files or databases. Page 280

Generalized Audit Software Auditing with the computer: GAS was developed to access machine-readable detail records. Original programming is no longer required. The GAS consists of a set of pre-programmed editing, operating, and output subroutines. Required programming is easy. Simple, limited set of programming instructions is used to call the subroutines. Page 280

Generalized Audit Software Audit procedures performed by generalized audit software: GAS can access huge volumes of machine-readable records, organizing them into a useful format for the audit team. GAS can be used for the following: computation confirmation inspection analysis Page 281

Using Generalized Audit Software Five phases in developing a GAS application: Define the audit objective. GAS is a tool, not an objective. Feasibility and planning Determine if GAS is efficient and effective for the audit at hand. Application design Coding and testing Processing and evaluation Pages 281 - 284

Learning Objective 9 Describe how the personal computer can be used as an audit tool.

Using the Personal Computer as an Audit Tool The PC is being used to perform clerical steps: working trial balance posting adjustments grouping accounts computing comparative statements computing common ratios preparing supporting working papers producing draft statements PCs are also used to assess control risk perform analytical functions access databases run decision-making support software perform CAATs Page 284 – 286 See exhibit 8-6

Learning Objective 10 Describe the effects of e-business on auditing.

E-Business Electric commerce (e-commerce) is any trade that takes place by electronic means. This economic activity has been greatly facilitated by the growing use of the Internet. Segments of e-commerce include: B2B – Business to business B2C – Business to consumer C2B – Consumer to business C2C – Consumer to consumer Page 286 - 291

E-Business The audit strategy in e-business is to first evaluate general controls and then consider application controls. General control risks include confidentiality, integrity, authentication, repudiation, and unauthorized access. Controls include use of encryption, hashing, digital signatures, passwords, transaction certificates, confirmation services, firewalls, and biometric devices. Page 292 - 294

Application Controls Credit card payments: Primary concern is the secure transmission credit card information. Protocols to ensure security include: Secure Socket Layers (SSL) Secure Electronic Transactions (SET) Auditors will need to compliance test the authentication, access, and confidentiality controls. Pages 294 - 296

Effects of E-Business on Auditors Auditors should expect to encounter electronic records rather than paper. Auditors will need to put more reliance on controls. The quality of audit evidence will become very dependent on controls over accuracy and completeness. Pages 297 - 298

Internet-based and Continuous Auditing A continuous audit enables the auditor to issue written assurance simultaneously, or shortly after the occurrence of the underlying events. Subject matter could be any type of information; for example, authenticity, integrity, or non-repudiation of e-commerce transactions. A CICA study has identified conditions necessary for a continuous audit. Pages 298 - 300 See individual point under heading Internet-based and Continuous Auditing and Exhibit 8-13.